Using a Java-based integration engine (Mirth, for the curious), I have a need to sign a SOAP payload that is passing through the engine. All I have is the raw unsigned SOAP XML and the ability to install extensions and call into Java APIs.
So far my google searches haven't revealed any APIs/frameworks that effectively allow me to effectively set WS-Security parameters and then pass it the raw payload to sign. Installing a 3rd party jar that supplies this capability isn't an issue if that's what is needed. I had a look at Apache-CXF and JAX-WS but from what I can tell they work with stubbed out Java classes, rather than raw payload.
Have I missed something obvious, or am I going to have to write a custom WS-Security implementation?
WSS4J library supports signing any XML parsed with DOM or STAX API (SOAP message or not). You can find examples in the source code of the unit tests (folders ws-security-dom for DOM API, and ws-security-stax for StaX API).
For example, if you are using the DOM API, the code of CertificateStoreTest#testSignatureDirectReference() shows how to sign a SOAPPart which is a SOAP payload parsed into a DOM Document.